In the example of Section 3.2.1, the main definitions are:
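$$
\begin{aligned}
A(M) &\triangleq \overline{c_{AB}}\langle \{M\}_{K_{AB}} \rangle \\
B &\triangleq c_{AB}(x).\mathit{case}\ x\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ F(y) \\
\mathit{Inst}(M) &\triangleq (\nu K_{AB})(A(M) \mid B) \\
B_{spec}(M) &\triangleq c_{AB}(x).\mathit{case}\ x\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ F(M) \\
\mathit{Inst}_{spec}(M) &\triangleq (\nu K_{AB})(A(M) \mid B_{spec}(M))
\end{aligned}
$$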
For the example of Section 2.3.1, which does not use cryptography, the proof of authenticity is simply a proof of strong bisimilarity. We cannot proceed analogously for the example of Section 3.2.1, because in fact $\mathit{Inst}(M)$ and $\mathit{Inst}_{spec}(M)$ are not strongly bisimilar; instead, we prove that $\mathit{Inst}(M)$ and $\mathit{Inst}_{spec}(M)$ are barbed congruent.
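Proposition 14 For any closed term $M$, $\mathit{Inst}(M) \simeq \mathit{Inst}_{spec}(M)$.
Proof We prove that $\mathit{Inst}(M) \sim \mathit{Inst}_{spec}(M)$; the claim then follows since barbed congruence implies testing equivalence according to Proposition 7. Suppose that $R$ is some arbitrary closed process and $M$ is some arbitrary closed term. Without loss of generality, we assume that $K_{AB} \notin \mathit{fn}(R)$.
Below we show that:
$$
(\overline{c_{AB}}\langle \{M\}_{K_{AB}} \rangle \mid B \mid R) \;\stackrel{\bullet}{\sim}\; (\overline{c_{AB}}\langle \{M\}_{K_{AB}} \rangle \mid B_{spec}(M) \mid R) \tag{2}
$$
By Proposition 5(4), it follows that:
$$
(\nu K_{AB})(\overline{c_{AB}}\langle \{M\}_{K_{AB}} \rangle \mid B \mid R) \;\stackrel{\bullet}{\sim}\; (\nu K_{AB})(\overline{c_{AB}}\langle \{M\}_{K_{AB}} \rangle \mid B_{spec}(M) \mid R)
$$
Since $K_{AB} \notin \mathit{fn}(R)$, we have:
$$
\mathit{Inst}(M) \mid R \;\equiv\; (\nu K_{AB})(\overline{c_{AB}}\langle \{M\}_{K_{AB}} \rangle \mid B \mid R)
$$
and similarly:
$$
\mathit{Inst}_{spec}(M) \mid R \;\equiv\; (\nu K_{AB})(\overline{c_{AB}}\langle \{M\}_{K_{AB}} \rangle \mid B_{spec}(M) \mid R)
$$
Since barbed equivalence respects structural equivalence (by Proposition 5), we obtain:
$$
\mathit{Inst}(M) \mid R \;\stackrel{\bullet}{\sim}\; \mathit{Inst}_{spec}(M) \mid R
$$
By the definition of barbed congruence, we conclude:
$$
\mathit{Inst}(M) \sim \mathit{Inst}_{spec}(M)
$$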
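It remains to give a proof of equation (2). For this proof, we let $\sigma = [\{M\}_{K_{AB}}/x]$ and introduce the following relation $S$:
$$
P \mathrel{S} Q \quad\text{iff}\quad P = B \mid R_1\sigma \ \text{ and } \ Q = B_{spec}(M) \mid R_1\sigma \ \text{ for some } R_1 \text{ such that } x{:}\{-\}_{K_{AB}} \vdash R_1
$$
Intuitively, the process $R_1\sigma$ represents both $A$ and an attacker that does not have $K_{AB}$. We prove that $S \cup \stackrel{\bullet}{\sim}$ is a barbed bisimulation. This amounts to showing that if $P \mathrel{S} Q$ then $P$ and $Q$ can each match the other's barbs and reactions.
If $P \mathrel{S} Q$ then there exists $R_1$ such that $P = B \mid R_1\sigma$ and $Q = B_{spec}(M) \mid R_1\sigma$.
(1) $P \downarrow c_{AB}$ (from $B$),
(2) $P \downarrow \beta$ if $R_1\sigma \downarrow \beta$.
Clearly $Q$ exhibits these barbs too. The reactions of $P$ are:
(1) if $R_1\sigma \xrightarrow{\overline{c_{AB}}} (\nu\vec{n})\langle N \rangle R'$ and $P' \equiv (\nu\vec{n})(\mathit{case}\ N\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ F(y) \mid R')$ then $P \to P'$,
(2) if $R_1\sigma \xrightarrow{\tau} R'$ and $P' \equiv B \mid R'$ then $P \to P'$.
(One can calculate these reactions via the commitment relation and Proposition 3. Without loss of generality, we assume that the names $\vec{n}$ are fresh.) We show that, in each case, $Q$ can match these reactions of $P$.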
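(1) One of the reactions of $Q$ is:
$$
Q \to Q' \triangleq (\nu\vec{n})(\mathit{case}\ N\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ F(M) \mid R')
$$
Now it suffices to show that $P' \stackrel{\bullet}{\sim} Q'$. By Lemma 9(2), there exists $R_1'$ such that $x{:}\{-\}_{K_{AB}} \vdash R_1'$ and $R_1'\sigma = (\nu\vec{n})\langle N \rangle R'$. Therefore, $R_1'$ must have the form $(\nu\vec{n})\langle N_0 \rangle R_0$ with $N = N_0\sigma$, $R' = R_0\sigma$, and both $x{:}\{-\}_{K_{AB}} \vdash N_0$ and $x{:}\{-\}_{K_{AB}} \vdash R_0$. Since $x{:}\{-\}_{K_{AB}} \vdash N_0$, either $N_0\sigma$ is $\{M\}_{K_{AB}}$ (if $N_0$ is $x$) or $N_0\sigma$ is not a ciphertext encrypted with $K_{AB}$.
In the former case, we have:
$$
\begin{aligned}
P' &\equiv (\nu\vec{n})(\mathit{case}\ \{M\}_{K_{AB}}\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ F(y) \mid R') \\
&\equiv (\nu\vec{n})(F(M) \mid R') \\
&\equiv (\nu\vec{n})(\mathit{case}\ \{M\}_{K_{AB}}\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ F(M) \mid R') \\
&\equiv Q'
\end{aligned}
$$
In the latter case, decryption gets stuck, and by appeal to Propositions 5 and 8 we get:
$$
\begin{aligned}
P' &\equiv (\nu\vec{n})(\mathit{case}\ N\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ F(y) \mid R') \\
&\stackrel{\bullet}{\sim} (\nu\vec{n})(\mathbf{0} \mid R') \\
&\stackrel{\bullet}{\sim} (\nu\vec{n})(\mathit{case}\ N\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ F(M) \mid R') \\
&\equiv Q'
\end{aligned}
$$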
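(2) One of the reactions of $Q$ is:
$$
Q \to Q' \triangleq B_{spec}(M) \mid R'
$$
Now it suffices to show that $P' \mathrel{\stackrel{\bullet}{\sim} S \stackrel{\bullet}{\sim}} Q'$. By Lemma 9(2), there exists $R_1'$ such that $x{:}\{-\}_{K_{AB}} \vdash R_1'$ and $R_1'\sigma = R'$. Therefore, $(B \mid R') \mathrel{S} Q'$, and hence $P' \mathrel{\equiv S \equiv} Q'$.
Almost identical reasoning shows that $P$ can match the barbs and reactions of $Q$. We conclude that $S \cup \stackrel{\bullet}{\sim}$ is a barbed bisimulation, so $S \subseteq \stackrel{\bullet}{\sim}$.
In order to derive equation (2), we let $R_1 = \overline{c_{AB}}\langle x \rangle \mid R$. We obtain:
$$
\begin{aligned}
\overline{c_{AB}}\langle \{M\}_{K_{AB}} \rangle \mid B \mid R &\equiv B \mid R_1\sigma \\
&\mathrel{S} B_{spec}(M) \mid R_1\sigma \\
&\equiv \overline{c_{AB}}\langle \{M\}_{K_{AB}} \rangle \mid B_{spec}(M) \mid R
\end{aligned}
$$
Equation (2) follows since $S \subseteq \stackrel{\bullet}{\sim}$ and by Proposition 5. □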
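The case split on the received term in case (1) of the proof above, replayed on a toy term model as an added example that is not part of the original paper. The tuple encoding, the continuation `F`, the sample terms, and the simplified side condition (the attacker's term never names `K_AB`, standing in for the judgment on $x{:}\{-\}_{K_{AB}}$, whose definition lies outside this section) are assumptions.

```python
# Added illustration, not from the paper: toy spi-calculus terms as tuples
#   ("name", s) | ("var", s) | ("pair", t, u) | ("enc", plaintext, key)
K_AB = ("name", "K_AB")
X = ("var", "x")

def mentions(term, name):
    """True if `name` occurs anywhere inside `term`."""
    return term == name or any(
        mentions(t, name) for t in term[1:] if isinstance(t, tuple))

def subst(term, var, value):
    """term[value/var]; toy terms have no binders, so no capture can occur."""
    if term == var:
        return value
    return (term[0],) + tuple(
        subst(t, var, value) if isinstance(t, tuple) else t for t in term[1:])

def case_decrypt(term, key, cont):
    """`case term of {y}_key in cont(y)`: continue with the plaintext, or get
    stuck (modelled as the nil process "0") if term is not {..}_key."""
    if term[0] == "enc" and term[2] == key:
        return cont(term[1])
    return "0"

def F(y):
    """Hypothetical continuation F: records the value B acts on."""
    return ("F", y)

def continuations(n0, m):
    """Residuals of B and B_spec(M) after receiving N = n0[{M}_K_AB / x]."""
    # Assumed stand-in for the side condition on n0: it never names K_AB.
    if mentions(n0, K_AB):
        raise ValueError("attacker term must not mention K_AB")
    n = subst(n0, X, ("enc", m, K_AB))
    b = case_decrypt(n, K_AB, F)                      # B:         in F(y)
    b_spec = case_decrypt(n, K_AB, lambda _y: F(m))   # B_spec(M): in F(M)
    return b, b_spec

M = ("name", "m")
# Constructed sample terms: replay, re-encryption, pairing, unrelated ciphertext.
SAMPLES = [X, ("enc", X, ("name", "K_E")), ("pair", X, ("name", "a")),
           ("enc", ("name", "a"), ("name", "K_E"))]
RESULTS = [continuations(n0, M) for n0 in SAMPLES]

if __name__ == "__main__":
    for n0, (b, b_spec) in zip(SAMPLES, RESULTS):
        print(n0, "->", b, "|", b_spec)
```

Only the replayed `x` decrypts, giving `F(m)` on both sides; every other sample leaves both processes stuck, which are the two cases of the proof.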
For proving secrecy, we adopt the same general strategy as in Section 6.1. We first prove a restricted version of the secrecy property:
Lemma 15 $\mathit{Inst}(M) \simeq \mathit{Inst}(M')$ if $F(x)$ is $\overline{c}\langle * \rangle$, for any closed terms $M$ and $M'$.
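Proof Almost exactly as in the proof of Proposition 14, it suffices to prove the equation:
$$
(\overline{c_{AB}}\langle \{M\}_{K_{AB}} \rangle \mid B \mid R) \;\stackrel{\bullet}{\sim}\; (\overline{c_{AB}}\langle \{M'\}_{K_{AB}} \rangle \mid B \mid R) \tag{3}
$$
for any closed process $R$ such that $K_{AB} \notin \mathit{fn}(R)$, and any closed terms $M$ and $M'$.
For the proof of this equation, we let $\sigma = [\{M\}_{K_{AB}}/x]$ and $\sigma' = [\{M'\}_{K_{AB}}/x]$, and introduce the following relation $S$:
$$
P \mathrel{S} Q \quad\text{iff}\quad P = B \mid R_1\sigma \ \text{ and } \ Q = B \mid R_1\sigma' \ \text{ for some } R_1 \text{ such that } x{:}\{-\}_{K_{AB}} \vdash R_1
$$
The relation $\{(R_1\sigma, R_1\sigma') \mid x{:}\{-\}_{K_{AB}} \vdash R_1\}$ is a barbed bisimulation, according to Proposition 10. We prove that $S \cup \stackrel{\bullet}{\sim}$ is a barbed bisimulation. This amounts to showing that if $P \mathrel{S} Q$ then $P$ and $Q$ can each match the other's barbs and reactions.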
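If $P \mathrel{S} Q$ then there exists $R_1$ such that $P = B \mid R_1\sigma$ and $Q = B \mid R_1\sigma'$.
(1) $P \downarrow c_{AB}$ (from $B$),
(2) $P \downarrow \beta$ if $R_1\sigma \downarrow \beta$.
Clearly $Q$ exhibits these barbs too, since $R_1\sigma$ and $R_1\sigma'$ are in a barbed bisimulation. The reactions of $P$ are:
(1) if $R_1\sigma \xrightarrow{\overline{c_{AB}}} (\nu\vec{n})\langle N \rangle R'$ and $P' \equiv (\nu\vec{n})(\mathit{case}\ N\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ \overline{c}\langle * \rangle \mid R')$ then $P \to P'$,
(2) if $R_1\sigma \xrightarrow{\tau} R'$ and $P' \equiv B \mid R'$ then $P \to P'$.
(As in the proof of Proposition 14, we assume that the names $\vec{n}$ are fresh.) We show that, in each case, $Q$ can match these reactions of $P$.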
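(1) By Lemma 9(2), there exists $R_1'$ such that $x{:}\{-\}_{K_{AB}} \vdash R_1'$, $R_1'\sigma = (\nu\vec{n})\langle N \rangle R'$, and $R_1\sigma' \xrightarrow{\overline{c_{AB}}} (\nu\vec{n})\langle N_0\sigma' \rangle R_0\sigma'$. Therefore, $R_1'$ must have the form $(\nu\vec{n})\langle N_0 \rangle R_0$ with $N = N_0\sigma$, $R' = R_0\sigma$, and both $x{:}\{-\}_{K_{AB}} \vdash N_0$ and $x{:}\{-\}_{K_{AB}} \vdash R_0$. Since $R_1\sigma' \xrightarrow{\overline{c_{AB}}} (\nu\vec{n})\langle N_0\sigma' \rangle R_0\sigma'$, we have:
$$
Q \to Q' \triangleq (\nu\vec{n})(\mathit{case}\ N_0\sigma'\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ \overline{c}\langle * \rangle \mid R_0\sigma')
$$
Now it suffices to show that $P' \stackrel{\bullet}{\sim} Q'$. Since $x{:}\{-\}_{K_{AB}} \vdash N_0$, either $N_0\sigma$ and $N_0\sigma'$ are $\{M\}_{K_{AB}}$ and $\{M'\}_{K_{AB}}$ respectively (if $N_0$ is $x$) or $N_0\sigma$ and $N_0\sigma'$ are not ciphertexts encrypted with $K_{AB}$.
In the former case, we have:
$$
\begin{aligned}
P' &\equiv (\nu\vec{n})(\mathit{case}\ \{M\}_{K_{AB}}\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ \overline{c}\langle * \rangle \mid R') \\
&\equiv (\nu\vec{n})(\overline{c}\langle * \rangle \mid R') \\
&= (\nu\vec{n})(\overline{c}\langle * \rangle \mid R_0\sigma) \\
&\stackrel{\bullet}{\sim} (\nu\vec{n})(\overline{c}\langle * \rangle \mid R_0\sigma') \\
&\equiv (\nu\vec{n})(\mathit{case}\ \{M'\}_{K_{AB}}\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ \overline{c}\langle * \rangle \mid R_0\sigma') \\
&\equiv Q'
\end{aligned}
$$
The step $(\nu\vec{n})(\overline{c}\langle * \rangle \mid R') \stackrel{\bullet}{\sim} (\nu\vec{n})(\overline{c}\langle * \rangle \mid R_0\sigma')$ is justified by Proposition 10, since $x{:}\{-\}_{K_{AB}} \vdash (\nu\vec{n})(\overline{c}\langle * \rangle \mid R_0)$.
In the latter case, decryption gets stuck, and by appeal to Propositions 5 and 8 we get:
$$
\begin{aligned}
P' &\equiv (\nu\vec{n})(\mathit{case}\ N\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ \overline{c}\langle * \rangle \mid R') \\
&\stackrel{\bullet}{\sim} (\nu\vec{n})(\mathbf{0} \mid R') \\
&= (\nu\vec{n})(\mathbf{0} \mid R_0\sigma) \\
&\stackrel{\bullet}{\sim} (\nu\vec{n})(\mathbf{0} \mid R_0\sigma') \\
&\stackrel{\bullet}{\sim} (\nu\vec{n})(\mathit{case}\ N_0\sigma'\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ \overline{c}\langle * \rangle \mid R_0\sigma') \\
&\equiv Q'
\end{aligned}
$$
The step $(\nu\vec{n})(\mathbf{0} \mid R') \stackrel{\bullet}{\sim} (\nu\vec{n})(\mathbf{0} \mid R_0\sigma')$ is justified by Proposition 10, since $x{:}\{-\}_{K_{AB}} \vdash (\nu\vec{n})(\mathbf{0} \mid R_0)$.
In both cases, we obtain $P' \stackrel{\bullet}{\sim} Q'$ by Proposition 5.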
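(2) By Lemma 9(2), there exists $R_1'$ such that $x{:}\{-\}_{K_{AB}} \vdash R_1'$, $R_1'\sigma = R'$, and $R_1\sigma' \xrightarrow{\tau} R_1'\sigma'$, so:
$$
Q \to Q' \triangleq B \mid R_1'\sigma'
$$
Clearly, $(B \mid R') \mathrel{S} Q'$, and hence $P' \mathrel{\equiv S \equiv} Q'$.
The proof that $P$ can match the barbs and reactions of $Q$ is symmetric. We conclude that $S \cup \stackrel{\bullet}{\sim}$ is a barbed bisimulation, so $S \subseteq \stackrel{\bullet}{\sim}$.
In order to derive equation (3) we let $R_1 = \overline{c_{AB}}\langle x \rangle \mid R$. We obtain:
$$
\begin{aligned}
\overline{c_{AB}}\langle \{M\}_{K_{AB}} \rangle \mid B \mid R &\equiv B \mid R_1\sigma \\
&\mathrel{S} B \mid R_1\sigma' \\
&\equiv \overline{c_{AB}}\langle \{M'\}_{K_{AB}} \rangle \mid B \mid R
\end{aligned}
$$
Equation (3) follows since $S \subseteq \stackrel{\bullet}{\sim}$ and by Proposition 5. □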
The full secrecy property follows.
Proposition 16 $\mathit{Inst}(M) \simeq \mathit{Inst}(M')$ if $F(M) \simeq F(M')$, for any closed terms $M$ and $M'$.
Proof The proof is exactly analogous to that of Proposition 13, and relies on Proposition 14, Lemma 15, and the equation:
$$
\mathit{Inst}_{spec}(N) \simeq (\nu c)(\mathit{Inst}(N, (x)\overline{c}\langle * \rangle) \mid c(y).F(N))
$$